There's a day in the calendar for every occasion: International Women's Day, Beer Day and even Europe's Data Protection Day. But data security doesn't just play a major role at our company on one day – it's very important to us all year round.
The European General Data Protection Regulation (EU GDPR) came into force on 25 May 2018. And there was little escaping it. Data protection hasn't of course just been a priority for us since that date. The GDPR brought in a number of changes that all had to be carefully noted and then implemented in our daily business. I'll now give you a brief insight into how we deal with the issue of data protection and what processes we have at the company.
External data protection officer
Herth+Buss already had its own external data protection officer before the introduction of the GDPR. This officer is entrusted by Management with responsibility for dealing with all issues, queries and problems that crop up relating to data protection and for setting up a data security management system. The external data protection officer was also responsible for implementing the changes associated with the GDPR, with me acting as data protection coordinator at our company.
What exactly does that mean?
I'll illustrate this with the example of our record of processing activities:
Here it's first important to identify all processes at our company where personal data is processed. Personal data includes e-mail addresses and similar information. Every process identified then has to be analysed to determine whether, for example, it concerns special categories of personal data and whether there is a suitable concept for erasing it, including a deadline for doing so. A risk analysis must also be performed.
Risk analysis generally determines the likelihood of a whole range of serious incidents occurring. One such case could involve being attacked by hackers. We assess the severity and consequences of being hacked. If this risk analysis shows a high risk, a data protection impact assessment must then also be carried out.
All processes registered here are documented and stored in the record of processing activities. This is of course an ongoing process, and the record is continuously updated with any changes to processes or the introduction of new ones.
The data protection officer naturally has other tasks besides the record of processing activities. Numerous enquiries, e.g. the introduction of a new application at the company, are assessed by the data protection officer, who decides whether data protection is directly affected and, if so, whether the application meets all necessary conditions to satisfy data protection requirements.
For greater data protection
Continuous staff training is of course important here. This way we ensure that employees are always up to date, and it allows questions or problems to be solved without delay.
If you want to know more about how we deal with information security, take a look at our article on it.